This shows you the differences between two versions of the page.
wiki:policies:access [2023/04/13 15:38] katcow [IV. Audit Trails and Logging] |
wiki:policies:access [2024/01/24 19:42] (current) katcow [Revision History] |
Line 10: | Line 10: | ||
=== Affected Systems: === | === Affected Systems: === | ||
- | This policy applies to all computer and communication systems owned or operated by Nested Knowledge and its subsidiaries. Systems include company shared drives, purchased software, as well as access to the Nested Knowledge AutoLit review platform. Similarly, this policy applies to all platforms (operating systems) and all application systems. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy. | + | This policy applies to all computer and communication systems owned or operated by Nested Knowledge and its subsidiaries. Systems include |
===== III. Access Control Policy ===== | ===== III. Access Control Policy ===== | ||
Line 21: | Line 21: | ||
* Unique user identifier | * Unique user identifier | ||
* Password | * Password | ||
+ | * MFA device (Authenticator applications or physical device) | ||
+ | * Dictated by [[: | ||
=== System Access Controls: === | === System Access Controls: === | ||
Access controls will be applied to all computer-resident information based on the class of the data and information to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable. | Access controls will be applied to all computer-resident information based on the class of the data and information to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable. | ||
- | |||
=== Administrative Privileges: === | === Administrative Privileges: === | ||
- | Access to Nested Knowledge Systems is managed by internal administrators who approve employees and contractors. For sensitive information, | + | Access to Nested Knowledge Systems is managed by internal administrators who approve employees and contractors. For sensitive information, |
=== Need-to-Know: | === Need-to-Know: | ||
- | Users will be granted access to proprietary data on a need-to-know basis. That is, users will only receive access to such information | + | Users will be granted access to systems and proprietary data on a need-to-know basis, following PoLP. That is, users or groups of users will only receive access to systems and information |
+ | |||
+ | === Shared Accounts: === | ||
+ | |||
+ | The use of shared credentials by Nested Knowledge employees and contractors is prohibited. | ||
=== Removal of Users: === | === Removal of Users: === | ||
- | Individuals who are terminated, removed, or no longer in need of access to Nested Knowledge information systems will be removed from all systems within 24 hours in most cases, and within 72 hours under special circumstances. Individual’s data contributions will be retained and anonymized. | + | Individuals who are terminated, removed, or no longer in need of access to Nested Knowledge information systems will be removed from all systems within 24 hours in most cases, and within 72 hours under special circumstances. |
=== Access for Non-Employees: | === Access for Non-Employees: | ||
Individuals who are not employees, contractors, | Individuals who are not employees, contractors, | ||
+ | |||
+ | === Access for Law Enforcement and Authority: === | ||
+ | |||
+ | Nested Knowledge will not disclose information unless: | ||
+ | |||
+ | * Making such a disclosure is a legal obligation, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. | ||
+ | * A serious risk of imminent harm to individuals exists that justifies compliance with the Data Disclosure Requests | ||
+ | |||
+ | Request for data disclosure shall be immediately escalated to the Chief Technology Officer and the Information Security Team via email or Slack alert. | ||
+ | |||
+ | When the Data Disclosure Request is related to personal information of a Nested Knowledge Customer, Nested Knowledge will request that the Authority send the request directly to the customer. Should the Authority agree, Nested Knowledge will provide assistance to the customer so that they can fulfill the Request. | ||
=== Unauthorized Access: === | === Unauthorized Access: === | ||
- | Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. | + | Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. |
=== Access Reviews: === | === Access Reviews: === | ||
- | Nested Knowledge will perform quarterly access reviews on accounts for all internal | + | Nested Knowledge will perform quarterly access reviews on accounts for all inventoried |
- | * Nested Knowledge application | + | * Cloud services providers |
- | * Shared Google Drives | + | * Cloud-based applications (Hubspot, Gitlab, etc.) |
- | * Google | + | * Google |
- | * Time tracking application | + | * Social media accounts |
+ | * Company-issued devices (laptops) | ||
+ | |||
+ | === Network Devices === | ||
+ | |||
+ | Nested Knowledge does not manage network devices in its production environment, | ||
===== IV. Audit Trails and Logging ===== | ===== IV. Audit Trails and Logging ===== | ||
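Review bot: The rewritten Removal of Users paragraph drops the sentence "Individual's data contributions will be retained and anonymized", so the policy no longer says what happens to a departed user's data; either keep that sentence or point to the retention policy that now governs it. In the same hunk, the new "MFA device (Authenticator applications or physical device)" bullet lists the accepted factors but not which systems require them, and the new Shared Accounts section prohibits shared credentials without saying how any existing shared credentials are to be inventoried and retired; one sentence each would close both gaps. The second Law Enforcement bullet ("A serious risk of imminent harm to individuals exists...") should also name who makes that determination, since the escalation sentence below it only says requests go to the Chief Technology Officer and the Information Security Team.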
Line 64: | Line 85: | ||
* Method of access | * Method of access | ||
- | All privileged commands must be traceable to specific user accounts/ Audit trails for confidential systems should be backed up and stored in accordance with Nested Knowledge back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic | + | All privileged commands must be traceable to specific user accounts. Audit trails for confidential systems should be backed up and stored in accordance with Nested Knowledge back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs will be audited on a quarterly |
=== Methods of Audit Logs === | === Methods of Audit Logs === | ||
- | Security incidents are logged by Firewalls, Servers, anti-virus solutions, | + | Security incidents are logged by firewalls, servers, anti-virus solutions, |
=== Frequency of Audit Logs === | === Frequency of Audit Logs === | ||
- | Audit logs are reviewed | + | Audit logs are reviewed |
- | + | ||
- | + | ||
- | === Segregation of Duties: === | + | |
- | + | ||
- | Segregation of duties exist between individuals responsible for approving, granting, monitoring, and reviewing access logs. | + | |
===== V. Remote Access Policy ===== | ===== V. Remote Access Policy ===== | ||
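Review bot: The Segregation of Duties section ("Segregation of duties exist between individuals responsible for approving, granting, monitoring, and reviewing access logs.") is removed outright with nothing replacing it, so section IV no longer states that the people who approve and grant access are distinct from those who review the audit trail; keep the sentence, or add a cross-reference to wherever that control now lives. The remaining changes in the hunk, the missing period after "specific user accounts" being fixed and the log review cadence moving from "periodic" to "quarterly", are fine as written.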
Line 84: | Line 99: | ||
=== Remote Access (application): | === Remote Access (application): | ||
- | The Nested Knowledge application is run in a VPC (for details, see Network Security Policy). This network is only accessible by release engineers who are granted SSH keys. These keys may be revoked or refreshed at any time, as necessitated by personnel changes or incidents.The VPC is only accessible through a single bastion host. | + | The Nested Knowledge application is run in a VPC (for details, see Network Security Policy). This network is only accessible by release engineers who are granted SSH keys. These keys may be revoked or refreshed at any time, as necessitated by personnel changes or incidents.The VPC is only accessible through a single bastion host. Every access to the production environment configuration results in alert emails to release engineers & engineering management. |
=== Remote Access (internal): === | === Remote Access (internal): === | ||
- | Nested Knowledge has no internal network for employees, therefore remote access is not applicable. Should Nested Knowledge establish a network, access to the network through remote access will be managed by a Virtual Private Network (VPN). The VPN will request for username and password or some other form of advanced authentication. Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA, HRS-323C, and HIPAA. | + | Nested Knowledge has no internal network for employees, therefore remote access is not applicable. Should Nested Knowledge establish a network, access to the network through remote access will be managed by a Virtual Private Network (VPN). The VPN will request for username and password or some other form of advanced authentication. Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA and HRS-323C. |
=== Workstation Access Control System: === | === Workstation Access Control System: === | ||
- | All workstations used for this business activity, no matter where they are located, must use an access control system approved by Nested Knowledge. Active workstations are not to be left unattended for prolonged periods of time, where appropriate. When a user leaves a workstation, | + | All workstations used for this business activity, no matter where they are located, must use an access control system approved by Nested Knowledge. Employees must use company-issued devices for completing their work. Active workstations are not to be left unattended for prolonged periods of time, where appropriate, which is enforced through MDM. When a user leaves a workstation, |
- | When accessing Nested Knowledge systems | + | When accessing Nested Knowledge systems, authorized users are responsible for preventing access to any of our computer resources or data by non-authorized Users. The authorized user bears responsibility for and consequences of misuse of the authorized user’s access. |
- | === Remote | + | === Remote |
- | Remote workers must follow software licensing restrictions | + | Equipment should be located |
- | + | ||
- | === Remote Working Environmental Controls: === | + | |
- | Equipment should be located and/or protected | + | * Update default router administrator password |
+ | * Following our [[: | ||
+ | * Disable remote access | ||
+ | * Enable wireless encryption (WPA2/3) on their home network | ||
+ | * Store company devices behind locked doors | ||
- | For cloud-related access protocols, please refer to our [[: | + | Employees will be trained upon hire and updated on an annual basis. |
==== Compliance Statement ==== | ==== Compliance Statement ==== | ||
- | All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Remote Access Policy.Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination. | + | All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Remote Access Policy. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination. |
===== Revision History ===== | ===== Revision History ===== | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
- | |K. Holub|11/18/2021| | | + | |K. Holub|12/18/2023|Remote working controls added| |
+ | |K. Cowie|01/ | ||
|K. Kallmes|1/ | |K. Kallmes|1/ | ||
|P. Olaniran|10/ | |P. Olaniran|10/ | ||
- | |K. Cowie|01/ | ||
[[: | [[: | ||
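Review bot: In Remote Access (internal), HIPAA is dropped from the statutory requirements list ("HCFA, HRS-323C, and HIPAA" becomes "HCFA and HRS-323C") with no stated reason; if the policy is no longer HIPAA-scoped the revision history should say so, otherwise restore it. In Revision History, the existing "K. Holub|11/18/2021" row is overwritten to read "12/18/2023|Remote working controls added" instead of a new row being added, which erases the 2021 revision from the record; add the 2023 entry as its own row. Two smaller points: the Compliance Statement still refers only to the "Remote Access Policy" even though it closes a page that also covers access control and audit logging, and the new sentence that "Every access to the production environment configuration results in alert emails" would be stronger if it said where those alerts are retained, given the logging requirements in section IV.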